1. Field of the Invention
The present invention generally relates to an apparatus and method for controlling a firewall, and a computer program product.
2. Description of the Related Art
Session Border Controllers (SBC) have appeared in the market. An SBC is a device that works on an internal network connected to the Internet through a firewall. In reality, the SBC represents a group of devices that include a session server that performs session control by using a session control protocol, and a firewall that is controlled by the session server.
The session server decides whether a new session needs to be established through the firewall from the result of execution of the session control protocol. When a new session needs to be established, the session server identifies an address and a port number to be used for the new session based on the result of the execution, and changes the setting of the firewall to permit the passage of the new session. Thus, the settings of the firewall are changed from an external device.
Such a technology for changing the settings of the firewall from an external device has been widely used. For example, US-A 2003/0142681 teaches first performing the network-access authentication and then setting a different value as the Quality of Service (QoS) parameter of the firewall depending on the result of the authentication.
On the other hand, a device called an authentication agent has become available. Such an authentication agent performs network-access authentication, i.e., decides whether communication between an internal network and an external network is to be permitted. The authentication agent can be included in the SBC. When the authentication agent is included in the SBC, the authentication agent first authenticates an external terminal; the authenticated external terminal then negotiates, through a session server, the session used for data communication with a communication target terminal, and a port number for use is decided. Finally, the session server changes the setting of a firewall so that communication can be performed through the port with the port number decided by the negotiation.
In the conventional technology, however, security is not fully ensured when a data session is started after the communication has been established. That is, in the conventional technology, when an external terminal starts a new data session by using a session control protocol permitted in the network-access authentication, the session server controls the firewall without checking the result of the previously performed network-access authentication.
Therefore, it cannot be verified whether a data session is established by an external terminal that has been authenticated by the network-access authentication, i.e., one permitted to perform network access, and hence the setting of the firewall can be disadvantageously changed even for an external terminal that is not authentic.
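The weakness described above is easiest to see in a small model. The following Python program is an added illustration and is not code from the patent or from any SBC product: it models a firewall as a set of permitted (address, port) pinholes, an authentication agent that records which external terminals passed network-access authentication, and a session server that opens a pinhole when session control decides a port. With `check_auth=False` the session server behaves like the conventional one in the text (it never consults the authentication result); with `check_auth=True` it refuses a data session from a terminal that never authenticated. The addresses, credentials and port numbers are constructed for the example.

```python
"""Added illustration (not from the patent): a toy model of the session-border
arrangement described above.  The 'conventional' session server never consults
the authentication agent, so it opens a firewall pinhole for a terminal that was
never authenticated; the 'checked' variant refuses such a request."""
from dataclasses import dataclass, field

# Constructed credential table for the toy authentication agent; the addresses
# and secrets are made up for this example.
VALID_CREDENTIALS = {"203.0.113.10": "secret-A"}


@dataclass
class Firewall:
    """Holds the (address, port) pairs currently permitted through the firewall."""
    pinholes: set = field(default_factory=set)

    def permit(self, address: str, port: int) -> None:
        self.pinholes.add((address, port))

    def is_permitted(self, address: str, port: int) -> bool:
        return (address, port) in self.pinholes


class AuthenticationAgent:
    """Performs network-access authentication and remembers which terminals passed."""

    def __init__(self) -> None:
        self._authenticated = set()

    def authenticate(self, address: str, credential: str) -> bool:
        # Stand-in for a real network-access authentication exchange.
        if VALID_CREDENTIALS.get(address) == credential:
            self._authenticated.add(address)
            return True
        return False

    def is_authenticated(self, address: str) -> bool:
        return address in self._authenticated


class SessionServer:
    """Session control: takes the port decided for a new data session and changes
    the firewall setting.  check_auth=False reproduces the conventional behaviour
    in the text: the firewall is changed without reference to the authentication
    result.  check_auth=True ties the change to that result (an assumed design)."""

    def __init__(self, firewall: Firewall, agent: AuthenticationAgent,
                 check_auth: bool) -> None:
        self.firewall = firewall
        self.agent = agent
        self.check_auth = check_auth

    def start_data_session(self, address: str, port: int) -> bool:
        if self.check_auth and not self.agent.is_authenticated(address):
            return False  # refuse: terminal never passed network-access authentication
        self.firewall.permit(address, port)
        return True


def run_scenario(check_auth: bool) -> dict:
    """One authenticated terminal and one that skipped authentication each
    request a data session on a negotiated port; returns what the firewall
    ends up permitting for each."""
    firewall = Firewall()
    agent = AuthenticationAgent()
    server = SessionServer(firewall, agent, check_auth)
    agent.authenticate("203.0.113.10", "secret-A")  # legitimate external terminal
    # 198.51.100.7 never authenticates and goes straight to session control.
    server.start_data_session("203.0.113.10", 5004)
    server.start_data_session("198.51.100.7", 5006)
    return {
        "authenticated_terminal": firewall.is_permitted("203.0.113.10", 5004),
        "unauthenticated_terminal": firewall.is_permitted("198.51.100.7", 5006),
    }


if __name__ == "__main__":
    print("conventional:", run_scenario(check_auth=False))
    print("checked:     ", run_scenario(check_auth=True))
```

Running the script shows that the conventional server permits both terminals through the firewall, while the checked server permits only the terminal that passed network-access authentication. The point of the model is where the state lives: the session server can only refuse the second request if the authentication result is recorded somewhere it can consult at session-control time.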